Blog Site of the SamlMan, Connecting Apps in a Cloudy World

Using Impersonation with the Yammer APIs

One of the things that isn’t particularly well known about the Yammer APIs is that its OAuth infrastructure does support a form of impersonation (at least that’s how I describe it). This can be extraordinarily useful when you need to access data on behalf of another user and do so within the constraints of the content they have rights to see, as well as to create content as if it was posted by them. You’ll find a small amount of documentation about this on the Yammer developer site at http://developer.yammer.com/authentication near the bottom of the page. In short, what you need in order to do this is a verified admin account, and then that account can get an access token on behalf of another user; all you need to know is that user’s Yammer ID.

As I mentioned above, you’ll want to start by using a service account, and that service account needs to be a verified admin in your Yammer network. Once you have created and configured the account, I recommend using the methods I described in my previous posts to manually obtain an access token for it. Once you have that, the rest of the process is relatively straightforward. Let’s suppose for the sake of illustration that you want to add a user to a Yammer group (not something we recommend doing by the way – we actually discourage it, but it’s a simple API so is good for demonstration purposes). Assume the user has an ID of 150493 and we want to add him to a Yammer group with an ID of 123456. At a high level we’re going to do this:

1) Make a request to the tokens REST endpoint and pass to it the ID of the user you want to get an access token for, the client ID of your application, and the access token of your verified admin.

2) Take the JSON you get back and extract from it the access token for the user.

3) Make a POST request to the JSON endpoint to add the user to a group; send along the access token for the user that is being added.

Now a couple of things for discussion. First, this code uses the techniques that I describe in my original Yammer .NET post here: http://blogs.technet.com/b/speschka/archive/2013/10/05/using-the-yammer-api-in-a-net-client-application.aspx. For example – how do you get the user ID for a person? Well I describe some options in that first post; in this case I have a very small network so I had made a call to get all of the users in my network and then I found the one I wanted to use. When you look at that post you’ll see that I serialize the data for users into an object that includes the ID so in my actual code I can just use something like YammerUser.UserID.

The next thing worth noting is that I’m again using the simplified methods I described in that post to work with the REST endpoints: MakeGetRequest and MakePostRequest. If you want more information on those then check out that first posting. Finally, I used the same methodology I described in that original post to serialize the JSON data that I got from requesting the access token for the user into a .NET object. That’s where the List<YammerToken> call came from. This is a new call that I added serialization support for in this post so I’ve attached the class I used for serialization to this posting.
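The three steps listed above, as an added C# sketch that is not the code from the original post: it builds both requests and checks that the token entry it extracts belongs to the requested user before using it. Assumptions: .NET 6 or later, `HttpRequestMessage` and `System.Text.Json` in place of the post's MakeGetRequest, MakePostRequest and YammerToken helpers, the two endpoint paths, bearer-token authorization, and the `user_id` and `token` field names; the sample JSON and all token values are constructed placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;

static class YammerImpersonationSketch
{
    // Assumed endpoint paths; confirm them against the Yammer developer documentation.
    const string TokensUrl = "https://www.yammer.com/api/v1/oauth/tokens.json";
    const string GroupJoinUrl = "https://www.yammer.com/api/v1/group_memberships.json";

    // Step 1: request the user's token, authenticating as the verified admin.
    public static HttpRequestMessage BuildTokenRequest(long userId, string clientId, string adminToken)
    {
        var url = $"{TokensUrl}?user_id={userId}&consumer_key={Uri.EscapeDataString(clientId)}";
        var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", adminToken);
        return req;
    }

    // Step 2: read the JSON array and accept only an entry issued for the requested user.
    public static string ExtractUserToken(string json, long userId)
    {
        using var doc = JsonDocument.Parse(json);
        foreach (var entry in doc.RootElement.EnumerateArray())
            if (entry.GetProperty("user_id").GetInt64() == userId)
                return entry.GetProperty("token").GetString()
                    ?? throw new InvalidOperationException("Token field was null.");
        throw new InvalidOperationException($"No token returned for user {userId}.");
    }

    // Step 3: POST the group join, authenticating as the impersonated user.
    public static HttpRequestMessage BuildJoinRequest(long groupId, string userToken)
    {
        var req = new HttpRequestMessage(HttpMethod.Post, $"{GroupJoinUrl}?group_id={groupId}");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", userToken);
        return req;
    }

    static void Main()
    {
        // Constructed sample response; a real one carries more fields and a real token.
        const string sample = "[{\"user_id\":150493,\"token\":\"CONSTRUCTED-USER-TOKEN\"}]";
        var tokenReq = BuildTokenRequest(150493, "CLIENT-ID-PLACEHOLDER", "ADMIN-TOKEN-PLACEHOLDER");
        var joinReq = BuildJoinRequest(123456, ExtractUserToken(sample, 150493));
        // Log method and URL only; neither token belongs in log output.
        foreach (var r in new[] { tokenReq, joinReq }) Console.WriteLine($"{r.Method} {r.RequestUri}");
    }
}
```

To send the requests for real, pass each `HttpRequestMessage` to `HttpClient.SendAsync` and feed the body of the first response to `ExtractUserToken`.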

So, as you see, once you have the background and the code from the first Yammer .NET posting I did, the actual process for doing this kind of impersonation with the Yammer REST endpoints is pretty straightforward and easy. From searching to retrieving content, having the ability to impersonate another user can be quite valuable when building your Yammer applications.

Hey George, not sure what issue you’re seeing. I just tried clicking on both of the links you left in your comment above and it correctly redirected me to the new location on this blog where those articles are located.

SamlMan.Com

Hi, I'm Steve Peschka and I am the SamlMan - come see me at http://samlman.com. I'm always happy to talk to you about your SharePoint, o365, Azure and other cloud-related security and authentication projects.